Export (0) Print
Expand All

IIS 5.0 Baseline Security Checklist

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
On This Page

Introduction
Internet Information Services 5 Settings
Microsoft Internet Information Services 5 Security Checklist Details
Harden Metabase Permissions
Harden ASP.NET Configuration

Introduction

This document lists some recommendations and best practices to improve the security of a server on the Web running Internet Information Services (IIS) 5.

Important: The purpose of this article is to give instructions for configuring a baseline level of security on IIS 5 servers. Additional advanced settings are provided in the complete IIS 5 security checklist on the Microsoft TechNet Security Web site.

Internet Information Services 5 Settings

Step

 

iecl01

Secure Windows 2000

 

iecl01

Run the IIS Lockdown Tool

 

iecl01

Customize UrlScan configuration

 

iecl01

Set appropriate ACLs on virtual directories

 

iecl01

Set appropriate IIS Log file ACLs

 

iecl01

Enable logging

 

iecl01

Disable or remove all sample applications

 

iecl01

Remove the IISADMPWD virtual directory

 

iecl01

Remove unused script mappings

 

iecl01

Harden metabase permissions

 

iecl01

Harden ASP.NET configuration

Microsoft Internet Information Services 5 Security Checklist Details

Secure Windows 2000

Refer to the Windows 2000 Server Baseline Security Checklist for information about securing the base platform on which IIS will be hosted.

Run the IIS Lockdown Tool

The IIS Lockdown Tool is a configurable utility that asks you to specify the application role played by your IIS server. It will then remove any functionality that is not required for the particular Web server role. You should thoroughly test any changes before implementing them in a production environment.

Customize UrlScan Configuration

The IIS Lockdown Tool installs UrlScan. UrlScan is an ISAPI filter that screens and analyzes requests IIS receives them. When properly configured, UrlScan is effective at reducing the exposure to potential Internet attacks. The default configuration of UrlScan offers significant improvement over the default configuration of IIS, IIS; however, Microsoft recommends further refining the UrlScan configuration to more closely restrict Web requests while still allowing your application to function. Ideally, only requests for file extensions used by your application will be allowed. You should thoroughly test any changes before implementing them in a production environment.

Set appropriate ACLs on virtual directories

The IIS Lockdown tool improves file permissions; however, you should further refine these permissions for your specific application. Although this procedure is somewhat application-dependent, Some rules of thumb apply:

File Type

Access Control Lists

CGI (.exe, .dll, .cmd, .pl)

Everyone (X)
Administrators (Full Control)
System (Full Control)

Script files (.asp)

Everyone (X)
Administrators (Full Control)
System (Full Control)

Include files (.inc, .shtm, .shtml)

Everyone (X)
Administrators (Full Control)
System (Full Control)

Static content (.txt, .gif, .jpg, .html)

Everyone (R)
Administrators (Full Control)
System (Full Control)

Recommended default ACLs by file type.

Rather than setting ACLs on each file, you are better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this:

  • C:\inetpub\wwwroot\myserver\static (.html)

  • C:\inetpub\wwwroot\myserver\include (.inc)

  • C:\inetpub\wwwroot\myserver\script (.asp)

  • C:\inetpub\wwwroot\myserver\executable (.dll)

  • C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)

Also, be aware that two directories need special attention:

  • C:\inetpub\ftproot (FTP server)

  • C:\inetpub\mailroot (SMTP server)

The ACLs on both these directories are Everyone (Full Control) and should be overridden with something tighter, depending on your level of functionality. Place the folder on a different volume than the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount data that can be written to these directories.

Set appropriate IIS Log file ACLs

Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:

  • Administrators (Full Control)

  • System (Full Control)

  • Everyone (RWC)

This is to help prevent malicious users from deleting the files to cover their tracks.

Enable logging

Logging is paramount when you want to determine whether your server is being attacked. You should use W3C Extended Logging format by following this procedure:

  1. Load the Internet Information Services tool.

  2. Right-click the site in question, and choose Properties from the context menu.

  3. Click the Web Site tab.

  4. Check the Enable Logging check box.

  5. Choose W3C Extended Log File Format from the Active Log Format drop-down list.

  6. Click Properties.

    Click the Extended Properties tab, and set the following properties:

    • Client IP Address

    • User Name

    • Method

    • URI Stem

    • HTTP Status

    • Win32 Status

    • User Agent

    • Server IP Address

    • Server Port

The latter two properties are useful only if you host multiple Web servers on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering net helpmsg err on the command line, where err is the error number you are interested in.

Disable or remove all sample applications

Samples are just that, samples; they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost, or 127.0.0.1; however, they should still be removed.

The following table lists the default locations for some of the samples.

Sample

Virtual Directory

Location

IIS Samples

\IISSamples

c:\inetpub\iissamples

IIS Documentation

\IISHelp

c:\winnt\help\iishelp

Data Access

\MSADC

c:\program files\common files\system\msadc

Sample files included with Internet Information Services 5.

Remove the IISADMPWD virtual directory

This directory allows you to reset Windows NT and Windows 2000 passwords. It is designed primarily for intranet scenarios and is not installed as part of IIS 5. However, i but it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article 184619 for more information about this functionality.

Remove unused script mappings

IIS is preconfigured to support common filename extensions such as .asp and .shtm files. When IIS receives a request for a file of one of these types, the call is handled by a DLL. The IIS Lockdown Tool removes unneeded script mappings; however, your application may allow you to further refine the configuration. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure:

  1. Open Internet Services Manager.

  2. Right-click the Web server, and choose Properties.

  3. Click Master Properties

  4. Select WWW Service, click Edit, click HomeDirectory, and then click Configuration

Remove these references:

If you don't use...

Remove this entry:

Web-based password reset

.htr

Internet Database Connector (all IIS 5 Web sites should use ADO or similar technology)

.idc

Server-side Includes

.stm, .shtm, and .shtml

Internet Printing

.printer

Index Server

.htw, .ida and .idq

Note: Internet Printing can be configured through Group Policy as well as via the Internet Services Manager. If there is a conflict between the Group Policy settings and those in the Internet Service Manager, the Group Policy settings take precedence. If you remove Internet Printing via the Internet Services Manager, be sure to verify that it won't be re-enabled by either local or domain group policies. (The default Group Policy neither enables nor disables Internet Printing.) In the MMC Group Policy snap-in, click Computer Configuration, click Administrative Templates, click Printing, and then click Web-based Printing.

Note: Unless you have a mission-critical reason to use the .htr functionality, you should remove the .htr extension.

Harden Metabase Permissions

Security and other IIS configuration settings are maintained in the IIS Metabase file. The default file permissions could allow an attacker to directly edit the Metabase file. The NTFS permissions on the IIS Metabase file (and the backup Metabase file) should be hardened to ensure that attackers cannot modify the IIS configuration in any way. Microsoft recommends removing all file permissions to the Metabase, and granting Full Control to only Administrators and SYSTEM.

Harden ASP.NET Configuration

If the .NET Framework has been installed on the system, download and install the latest version of the .NET Framework and any service packs. Review the configuration of the .NET Framework, and ASP.NET in particular, to ensure ASP.NET does not increase your vulnerability to attack.

© 2001 Microsoft Corporation. All rights reserved.

Download

IIS Lockdown Tool
285 KB

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft